WASHINGTON – Cybersecurity researcher Chris Vickery realized last week that he had just discovered a data breach exposing the personal information of dozens of men and women who go to work daily on military bases and work directly with U.S. special operations forces. He contacted the principals of the private subcontractor involved to alert them that their online data was vulnerable.

Vickery, who writes a security blog about data breaches, said he emailed the co-founders of Potomac Healthcare Solutions in Woodbridge, Va., telling them who he was, what he’d found and his non-harmful intent. He had home and email addresses, Social Security numbers, government contracts and invoices and lists of units and bases. He even found a handwritten list of email passwords, he said.

To demonstrate the extent of the breach, he said he attached a loan application document he’d found among the 11 gigabytes of compromised data. It contained, personal information of the two principals, including the cellphone number he’d used to initially call one of them.

An hour later the data was still exposed. There was no firewall, Vickery said, and the data wasn’t password protected. He reached out to a contact he had in government that he’d worked with on other breaches.

He said the data came down 30 minutes later.

He never heard back from Potomac Healthcare.

“I didn’t get any acknowledgement,” he said. “I didn’t get any questions; I didn’t get anything from them. I can’t even prove they received an email.”

Potomac Healthcare and the company that subcontracted their services for the military, Booz Allen Hamilton, have issued statements acknowledging that they are investigating the breach.

Booz Allen, which is a key holder of classified government contracts, has had a number of high profile breaches involving government information in recent years including one by employee Edward Snowden, who stole and released a trove of classified U.S. information gathering data in 2013 and fled the country.

Potomac released a statement Thursday saying it had completed its investigation and while “the impacted server did not contain any classified government information or protected medical or personal data related to active duty military personnel or their families,” files with data of Potomac employees had been breached.

“While we have no evidence to suggest that any employee information has been used inappropriately, Potomac is in the process of proactively reaching out to impacted employees to provide guidance on how they can protect themselves” it said.

The breach lays bare how a security lapse at a private subcontractor could compromise professionals who work directly alongside the military and enter bases every day. At a time when U.S. intelligence agencies are calling out Russia for attempting to sway the elections with state-sponsored cyberattacks, small-scale breaches that can create unseen vulnerabilities are far more commonplace. And it raises questions about the responsibility of private companies that contract with the government.

Albert Krachman, a government contracts lawyer and a partner in the Washington-based law firm Blank Rome LLP, said the laws and regulations governing cyber protection were beefed up last year and require government or military contractors and subcontractors to ensure their data is protected. The fact that the compromised data did not belong to military employees might mitigate the responsibility, but he thinks that the companies would still be in violation of contractual rules.

“Certainly the defense industry is on the leading edge of imposing broad-based cybersecurity requirements throughout its supply chain and this certainly would appear to qualify as a component,” Krachman said.

“If you look at it from what the regulations say, there would be little doubt that just allowing a penetration of that sort would be cause for concern,” he said. “It opens vulnerabilities.”

Other than statements issued through a private communications firm, Potomac has declined to comment on the breach. The company, which has several military contracts involving tens of millions of dollars, said it is offering free credit monitoring and identity theft protection to affected employees.

“The privacy and security of personal information is a top priority, and we are committed to taking steps to prevent this type of incident from occurring again in the future,” the statement said.

Vickery writes a blog called Security Watch for security software company MacKeeper. Well-known in tech circles, he is considered an expert who is frequently quoted on the issue and was recognized by Harvard University’s Data Privacy Lab and Patient Privacy Rights with their 2016 Data Detective Award.

He said he uses a public search engine called Showdan.io that searches the internet for devices to find breaches. During a search, he found an open port at Potomac that allowed remote synchronization, or data access from a remote device, Vickery said. Other than the unlikely scenario of a malicious hack, he said it likely meant that someone at the company didn’t know what he or she was doing or had taken a shortcut to avoid using passwords on programs and did not secure the server with a firewall.

The information included a directory with invoices, contracts between Potomac and Booz Allen Hamilton, and all kinds of job descriptions and employees hired by Potomac, he said. There was a database with hiring data and durations of employment as well as documents with all their personal information. It included doctors, nurses, psychiatrists, social workers, physical therapists, as well as job descriptions such as peer network coordinator, nurse case manager and family support coordinator.

He discerned enough to recognize that the health care company was a subcontractor through Booz Allen for the U.S. Special Operations Command’s program called Preservation of the Force and Family. The program embeds medical, physical and mental health care providers with special operations teams to help keep the commandos healthy and fit.

The data included where the providers were based, among them Naval Base Coronado in California and Joint Expeditionary Base Little Creek in Virginia Beach, both homes to Navy SEALs; Camp Lejeune in North Carolina, which houses part of the Marine Special Operations Command; and Fort Carson in Colorado, home to Army Green Berets.
Kenneth McGraw, a spokesman for the U.S. Special Operations Command, said no command or government employee information had been compromised. He said all of the contractors are related to the Preservation of the Force and Families program, including two “data analysts” that Vickery identified.

McGraw said the biggest concern about a breach would be the disclosure of classified, operational, technical or other sensitive information, which was not the case here. Still, that doesn’t remove all risk, he noted.

“While there is no direct impact on the command's members, there is always concern when the personal information of contractors who work at USSOCOM is breached,” he said.

Vickery said breaches of ordinary companies have become so commonplace that he always has material for his blog and he warned that with malicious actors increasingly scouring government sites, the dangers lurk.

“It’s not hard to imagine a Hollywood plot line in which a situation like this results in someone being kidnapped or blackmailed for information,” he wrote in his blog. “Let’s hope that I was the only outsider to come across this gem. Let’s really hope that no hostile entities found it.”

A screenshot shows just one of the pieces of data discovered by cybersecurity researcher Chris Vickery, who exposed a data breach of the personal information of dozens of men and women who go to work daily on military bases and work directly with U.S. special operations forces. COURTESY CHRIS VICKERY